1 files changed, 0 insertions, 92 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_2.patch
deleted file mode 100644
index f3d2bb1375..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_2.patch
+++ /dev/null
@@ -1,92 +0,0 @@
-From b9bb4700798bce98888c51d7b6dbc19ec49159d5 Mon Sep 17 00:00:00 2001
-From: Bin Meng <bmeng.cn@gmail.com>
-Date: Wed, 3 Mar 2021 20:26:35 +0800
-Subject: [PATCH 2/6] hw/sd: sdhci: Don't transfer any data when command time
- out
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-At the end of sdhci_send_command(), it starts a data transfer if the
-command register indicates data is associated. But the data transfer
-should only be initiated when the command execution has succeeded.
-With this fix, the following reproducer:
-outl 0xcf8 0x80001810
-outl 0xcfc 0xe1068000
-outl 0xcf8 0x80001804
-outw 0xcfc 0x7
-write 0xe106802c 0x1 0x0f
-write 0xe1068004 0xc 0x2801d10101fffffbff28a384
-write 0xe106800c 0x1f 0x9dacbbcad9e8f7061524334251606f7e8d9cabbac9d8e7f60514233241505f
-write 0xe1068003 0x28 0x80d000251480d000252280d000253080d000253e80d000254c80d000255a80d000256880d0002576
-write 0xe1068003 0x1 0xfe
-cannot be reproduced with the following QEMU command line:
-$ qemu-system-x86_64 -nographic -M pc-q35-5.0 \
-      -device sdhci-pci,sd-spec-version=3 \
-      -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
-      -device sd-card,drive=mydrive \
-      -monitor none -serial none -qtest stdio
-Cc: qemu-stable@nongnu.org
-Fixes: CVE-2020-17380
-Fixes: CVE-2020-25085
-Fixes: CVE-2021-3409
-Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
-Reported-by: Alexander Bulekov <alxndr@bu.edu>
-Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
-Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
-Reported-by: Simon Wörner (Ruhr-Universität Bochum)
-Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
-Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
-Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
-Acked-by: Alistair Francis <alistair.francis@wdc.com>
-Tested-by: Alexander Bulekov <alxndr@bu.edu>
-Tested-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
-Message-Id: <20210303122639.20004-2-bmeng.cn@gmail.com>
-Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Upstream-Status: Backport [b263d8f928001b5cfa2a993ea43b7a5b3a1811e8]
-CVE: CVE-2021-3409
-Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
---
- hw/sd/sdhci.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
-index f83c5e295..44f8a82ea 100644
--- a/hw/sd/sdhci.c
-+++ b/hw/sd/sdhci.c
-@@ -326,6 +326,7 @@ static void sdhci_send_command(SDHCIState *s)
-     SDRequest request;
-     uint8_t response[16];
-     int rlen;
-+    bool timeout = false;
- 
-     s->errintsts = 0;
-     s->acmd12errsts = 0;
-@@ -349,6 +350,7 @@ static void sdhci_send_command(SDHCIState *s)
-             trace_sdhci_response16(s->rspreg[3], s->rspreg[2],
-                                    s->rspreg[1], s->rspreg[0]);
-         } else {
-+            timeout = true;
-             trace_sdhci_error("timeout waiting for command response");
-             if (s->errintstsen & SDHC_EISEN_CMDTIMEOUT) {
-                 s->errintsts |= SDHC_EIS_CMDTIMEOUT;
-@@ -369,7 +371,7 @@ static void sdhci_send_command(SDHCIState *s)
- 
-     sdhci_update_irq(s);
- 
-    if (s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) {
-+    if (!timeout && s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) {
-         s->data_count = 0;
-         sdhci_data_transfer(s);
-     }
-- 
-2.29.2

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_2.patch deleted file mode 100644 index f3d2bb1375..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_2.patch +++ /dev/null
@@ -1,92 +0,0 @@
1	From b9bb4700798bce98888c51d7b6dbc19ec49159d5 Mon Sep 17 00:00:00 2001
2	From: Bin Meng <bmeng.cn@gmail.com>
3	Date: Wed, 3 Mar 2021 20:26:35 +0800
4	Subject: [PATCH 2/6] hw/sd: sdhci: Don't transfer any data when command time
5	out
6	MIME-Version: 1.0
7	Content-Type: text/plain; charset=UTF-8
8	Content-Transfer-Encoding: 8bit
9
10	At the end of sdhci_send_command(), it starts a data transfer if the
11	command register indicates data is associated. But the data transfer
12	should only be initiated when the command execution has succeeded.
13
14	With this fix, the following reproducer:
15
16	outl 0xcf8 0x80001810
17	outl 0xcfc 0xe1068000
18	outl 0xcf8 0x80001804
19	outw 0xcfc 0x7
20	write 0xe106802c 0x1 0x0f
21	write 0xe1068004 0xc 0x2801d10101fffffbff28a384
22	write 0xe106800c 0x1f 0x9dacbbcad9e8f7061524334251606f7e8d9cabbac9d8e7f60514233241505f
23	write 0xe1068003 0x28 0x80d000251480d000252280d000253080d000253e80d000254c80d000255a80d000256880d0002576
24	write 0xe1068003 0x1 0xfe
25
26	cannot be reproduced with the following QEMU command line:
27
28	$ qemu-system-x86_64 -nographic -M pc-q35-5.0 \
29	-device sdhci-pci,sd-spec-version=3 \
30	-drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
31	-device sd-card,drive=mydrive \
32	-monitor none -serial none -qtest stdio
33
34	Cc: qemu-stable@nongnu.org
35	Fixes: CVE-2020-17380
36	Fixes: CVE-2020-25085
37	Fixes: CVE-2021-3409
38	Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
39	Reported-by: Alexander Bulekov <alxndr@bu.edu>
40	Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
41	Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
42	Reported-by: Simon Wörner (Ruhr-Universität Bochum)
43	Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
44	Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
45	Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
46	Acked-by: Alistair Francis <alistair.francis@wdc.com>
47	Tested-by: Alexander Bulekov <alxndr@bu.edu>
48	Tested-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
49	Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
50	Message-Id: <20210303122639.20004-2-bmeng.cn@gmail.com>
51	Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
52
53	Upstream-Status: Backport [b263d8f928001b5cfa2a993ea43b7a5b3a1811e8]
54	CVE: CVE-2021-3409
55
56	Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
57	---
58	hw/sd/sdhci.c \| 4 +++-
59	1 file changed, 3 insertions(+), 1 deletion(-)
60
61	diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
62	index f83c5e295..44f8a82ea 100644
63	--- a/hw/sd/sdhci.c
64	+++ b/hw/sd/sdhci.c
65	@@ -326,6 +326,7 @@ static void sdhci_send_command(SDHCIState *s)
66	SDRequest request;
67	uint8_t response[16];
68	int rlen;
69	+ bool timeout = false;
70
71	s->errintsts = 0;
72	s->acmd12errsts = 0;
73	@@ -349,6 +350,7 @@ static void sdhci_send_command(SDHCIState *s)
74	trace_sdhci_response16(s->rspreg[3], s->rspreg[2],
75	s->rspreg[1], s->rspreg[0]);
76	} else {
77	+ timeout = true;
78	trace_sdhci_error("timeout waiting for command response");
79	if (s->errintstsen & SDHC_EISEN_CMDTIMEOUT) {
80	s->errintsts \|= SDHC_EIS_CMDTIMEOUT;
81	@@ -369,7 +371,7 @@ static void sdhci_send_command(SDHCIState *s)
82
83	sdhci_update_irq(s);
84
85	- if (s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) {
86	+ if (!timeout && s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) {
87	s->data_count = 0;
88	sdhci_data_transfer(s);
89	}
90	--
91	2.29.2
92